Outline

• Cloud Service Providers and Security

• Developing a Strategic Cloud Security Roadmap

• Questions to Ask a CSP: make an informed decision
Introduction

• Looking to the cloud

• Gartner says that in 2012, 80% of Fortune 1000 enterprises will pay for cloud services

• Another 30% will pay for cloud infrastructure

• Cloud summary

• Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)

• Cloud Service Provider (CSP)
Customers and the Cloud

Cloud service providers (CSPs) do not think security is a reason for customers to use their services. The top choices are reduced cost, faster deployment time, improved customer service, and increased efficiency.

[Chart: reasons for adopting cloud services, including faster deployment time, improved customer service, increased flexibility and choice, improved security, and "… with agreements & policies"]

Source: "Security of Cloud Computing Providers Study", Ponemon Institute (April 2011)
Cloud Security Risks

Areas where cloud providers are most confident:

• ability to ensure recovery from significant IT failures

• ensure physical locations of data assets are secure

Areas where cloud providers are least confident:

• ability to restrict privileged user access to sensitive data

• ensure proper data segregation requirements are met

Source: "Security of Cloud Computing Providers Study", Ponemon Institute (April 2011)
Other CSP Findings

• The majority of CSPs believe it is the customer's responsibility to secure the cloud.

• The majority say their systems and applications are not always evaluated for security threats prior to deployment to customers.

• The majority of CSPs in the study admit they do not have dedicated security personnel.

• Users and CSPs have different priorities with regard to critical security areas.

[Chart: Who is most responsible for ensuring the security of cloud resources by cloud providers?]

[Chart: Critical areas of security for cloud providers]

Source: "Security of Cloud Computing Providers Study", Ponemon Institute (April 2011)
Cloud Service Models

Differences in scope and control among cloud service models (cloud provider vs. consumer)

[Figure: Role Clarity]

Source: Cloud Security Alliance (CSA)
Service Agreements

• Service agreements

• Terms & conditions of access

• Use of services

• Service period, exit conditions

• Pre-defined non-negotiable agreements vs. negotiated agreements

• Pre-defined: prescribed by the CSP, not written to align with regulations, subject to unilateral changes, basis for economies of scale

• Negotiated: can be used to address specific concerns, normally more costly
Cloud Security Roadmap

Developing a strategic cloud security roadmap
Define Business & IT Strategy

• Business-centric security

• Understand the business requirements

• Define appropriate policies

• Data sensitivity

• Low, medium & high sensitivity

• Cross-border questions

• Risk appetite

• Will direct the scope & depth of cloud services

• Business agreement on acceptable risk
Define GRC Strategy

[Roadmap diagram, components: Survivability and Legal Matters; Enhanced Training and Awareness; Due Diligence]
Survivability & Legal Strategy

• Traditional strategies may not apply

• A move to the cloud requires new approaches

• Transfer of risk to the cloud provider?

• Legal analysis of the liabilities?

• Implications for information ownership & usage rights?

• Discussions on containment, segregation, monitoring & response, and a strong "right to audit" are needed
Enhanced Policies

Governance

• The policy framework needs to go beyond traditional approaches

• Policies need to map each policy requirement to specific control requirements, tied to business and/or regulatory requirements

• These enhanced policies provide clearer guidance in defining and managing the organisation's cloud security approaches
Enhanced Policies

Governance

[Figure: policy mapping, showing "Sections and Government Requirement" and "Sections and Corporate ISMF Requirement Policy"]

Source: Adapted from Cloud Security Alliance (CSA)
Formal Processes

• Ad hoc processes will not do

• Decision methodology and risk management processes need to be clearly defined and understood

• Security practices need to be documented, taking into consideration that direct infrastructure management may not be possible

• Visibility of the environment must be maintained, with key metrics identified and tracked
Enhanced Training & Awareness

• Are current training programs appropriate?

• Define training objectives: the rationale and importance of enhanced policies and controls

• Identify the tie-in with daily responsibilities

• Identify desired outcomes that improve decision making with an impact on security
Audit & Due Diligence

• Ask the right questions!

• Tie audit & quality management to specific requirements, assets & objectives

• Define items specifically to allow for improved visibility into practices

• How does the audit program allow your organisation to manage risk more effectively?
Ask the Right Questions

• What are the implications for information ownership & usage rights? Consider data location issues.

• What types of technical & non-technical controls are available to ensure data integrity & availability?

• What mechanisms are in place to ensure appropriate segregation?

• What are the exit procedures & related costs? Consider data retention risks.

• How are security responsibilities defined?

• What monitoring & reporting mechanisms are available?

• Is there a right to audit? Or adequate audit coverage by a 3rd party?

• What are the obligations between parties if things go wrong?

• Is there a formal plan to handle data security breaches?
Risk Assessment

• Identify risks

• Legislative or regulatory

• Compliance obligations

• Multi-tenancy

• Data security

• Data ownership

• Business continuity

• Contractual agreements

• Vendor lock-in → Data lock-in?
Vendor Selection

• Due diligence

• Data location

• Available controls

• Certification

• Vulnerability management

Develop your checklist. Use available guides and resources wherever applicable:

• NIST SP 800-144, 800-145 and 800-146

• CSA Cloud Controls Matrix, Consensus Assessments Initiative, Security Guidance v3
Document the Plan

• Analysis of key business/IT transformations

• Development of the solution

• Conduct QA and testing

• Implementation steps

• Back-out measures

Get business agreement on the plan and associated risks
Moving Forward

• Understand the cloud; get expert advice if needed

• Analyse business requirements & IT capabilities

• Define a robust GRC program that considers cloud risks and concerns

• Know your data / know how to secure it

• Identify the risks & legal obligations

• Ask the right questions

• Select an appropriate CSP

• Verify exit requirements
Thank you

Review our whitepapers at www.senseofsecurity.com.au/research/it-security-articles